What is the http-header “X-XSS-Protection”?

Backend · Unresolved · 5 answers · 1504 views
慢半拍i 2020-11-28 19:27

So I've been toying around with HTTP for fun in telnet now (i.e. just typing in telnet google.com 80 and putting in random GETs and POSTs with different header

5 answers
  •  北荒 (OP)  2020-11-28 20:08

    • X-XSS-Protection: 1 : Force XSS protection (useful if XSS protection was disabled by the user)

    • X-XSS-Protection: 0 : Disable XSS protection

    • The token mode=block will prevent the browser (IE8+ and WebKit browsers) from rendering the page (instead of sanitizing it) if a potential XSS reflection (i.e. non-persistent) attack is detected.

    /!\ Warning, mode=block creates a vulnerability in IE8 (more info).

    More information: http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx and http://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/
